Solved

UDP Syslog Traffic versus Raw Network Capture

Posted on 2013-12-20
Last Modified: 2013-12-22
I have a diagram where there is a line of UDP syslog traffic flowing from a switch to a web security device and another line extending from the switch to a live-human monitoring station.
What is the difference between UDP syslog traffic and raw network traffic?
Question by: brothertruffle880
3 Comments
Accepted Solution

by: eeRoot (earned 167 total points)
Depends on how the capture tools have been configured. But generally speaking, syslog servers will show a log of events (alerts, informational, debugging, etc.) while monitoring network traffic shows every packet that goes across your network. Network monitors (such as spanned/mirrored ports or hardware taps) show much more info, but it can be too much info sometimes.
Assisted Solution

by: btan (earned 167 total points)
Log vs packets. The traffic payload details are mostly found in the packet or raw traffic, while syslog would have normalised and surfaced the events depending on how the device source is configured. Syslog is at most, based on RFC 5424 (http://tools.ietf.org/html/rfc5424), 2048 bytes. Packet capture needs much larger storage, e.g. it can be an estimated 32 MB file saved every 15 minutes.

Specifically, the raw syslog data can be substantial depending on the severity level that is set, e.g. level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.

You tend to pipe the SPAN port of the switch, which carries the same raw traffic, to further analysis such as an AV scan, a content filter, or a passively/inline deployed breach detection system. In other words, with raw packet traffic you can do more, but with a log you only get what the source wanted you to see. SIEMs are mostly the reason for having centralised logging of all syslog piped to them.

While there are no strict guidelines pertaining to the log format, most syslog messages are generated in human-readable form with the assumption that capable administrators should be able to read them and understand their meaning. Note that the standard syslog protocol does not have mechanisms to provide confidentiality for the messages in transit. In most cases, passing clear-text messages is a benefit to the operations staff as compared to the raw packets from the wire. The operations staff may be able to read the messages and associate them with other events seen from other packets crossing the wire to track down and correct problems.
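The answer above leans on two concrete properties of syslog: the PRI field encodes facility and severity on the 0 to 7 scale listed, and a device set to a given level only emits messages at or below that severity. The following parser is an added example written for this thread, not code posted by any of the participants. It decodes RFC 5424 lines into their fields and filters them the way a device's configured level would; the hostnames, application names, structured-data IDs and message text in the sample lines are constructed, not captured from any real device.

```python
"""Decode RFC 5424 syslog lines into facility/severity and header fields.

Added example for this thread (not code from the original posters). The
message layout follows RFC 5424 section 6; the sample datagrams at the
bottom are constructed, not captured from any real device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity names, RFC 5424 section 6.2.1 (the 0..7 scale quoted in the thread)
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Facility names, RFC 5424 section 6.2.1, Table 1 (abbreviated labels)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit",
              14: "alert", 15: "clock",
              **{16 + i: f"local{i}" for i in range(8)}}

# RFC 5424 section 6.1: receivers SHOULD accept messages of at least 2048 octets
MAX_OCTETS = 2048

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$", re.DOTALL)
# One SD-ELEMENT: "[" SD-ID *(SP SD-PARAM) "]", backslash escapes allowed inside
SD_ELEMENT_RE = re.compile(r"\[(?P<body>(?:[^\]\\]|\\.)*)\]")
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Optional[Dict[str, Dict[str, str]]]
    msg: str
    oversized: bool  # True when the datagram exceeds MAX_OCTETS

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITIES.get(self.facility, f"facility{self.facility}")


def _parse_structured_data(rest: str):
    """Consume the STRUCTURED-DATA part; return (sd or None, remaining MSG)."""
    if rest.startswith("-"):  # NILVALUE: no structured data
        return None, rest[1:]
    sd: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if m is None:
            break
        sd_id, _, params = m.group("body").partition(" ")
        # Undo the three escapes RFC 5424 requires inside PARAM-VALUE: \" \] \\
        sd[sd_id] = {p.group("name"): p.group("value").replace('\\"', '"')
                     .replace("\\]", "]").replace("\\\\", "\\")
                     for p in SD_PARAM_RE.finditer(params)}
        pos = m.end()
    return sd, rest[pos:]


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Parse one RFC 5424 line; return None if it is not valid syslog."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities (0..23) * 8 severities - 1 is the largest legal PRI
        return None
    sd, remaining = _parse_structured_data(m.group("rest"))
    msg = remaining[1:] if remaining.startswith(" ") else remaining
    return SyslogMessage(
        facility=pri // 8, severity=pri % 8, version=int(m.group("version")),
        timestamp=m.group("timestamp"), hostname=m.group("hostname"),
        appname=m.group("appname"), procid=m.group("procid"),
        msgid=m.group("msgid"), structured_data=sd, msg=msg,
        oversized=len(line.encode("utf-8")) > MAX_OCTETS)


def filter_by_level(lines: List[str], configured_level: int) -> List[SyslogMessage]:
    """Keep what a device set to `configured_level` emits: severity <= level."""
    out = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is not None and parsed.severity <= configured_level:
            out.append(parsed)
    return out


# Constructed sample datagrams (hostnames, app names, SD-ID and text are invented)
SAMPLE_LINES = [
    '<34>1 2013-12-20T10:15:00.000Z websec01 urlfilter 1234 BLOCK '
    '[policy@32473 url="http://example.test/" action="block"] Blocked outbound request',
    '<165>1 2013-12-20T10:15:01.000Z core-sw01 - - - - Interface Gi1/0/12 changed state to up',
    '<191>1 2013-12-20T10:15:02.000Z websec01 proxy 1234 - - Cache hit for /index.html',
    'not a syslog datagram at all',
]

if __name__ == "__main__":
    for level in (4, 7):
        kept = filter_by_level(SAMPLE_LINES, level)
        print(f"level {level}: {[f'{m.facility_name}.{m.severity_name}' for m in kept]}")
```

Running it at level 4 (warnings) keeps only the critical web-security event; at level 7 (debugging) all three valid lines pass, which is the volume difference the answer describes. The non-syslog line is dropped by the parser rather than guessed at, and `oversized` marks any datagram longer than the 2048 octets the RFC asks receivers to accept, since a sender exceeding that may have its message truncated at the collector.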
Assisted Solution

by: giltjr (earned 166 total points)
One way to think of the difference between syslog data and raw network traffic is the difference between an MS Word document and a file.

While an MS Word document and an MS Excel spreadsheet are both files, what makes them different/unique is the content within the file. So an MS Word document is a subset of "files."

Syslog data is really a subset of "raw network data."

As the others have posted, my guess is that in your case the "raw network data" is a result of port mirroring (either using SPAN or RSPAN or something like that) vs. a connection that is set up to send traffic to a syslog server.